Case Study

We now consider a scheduling problem where some tasks include runnables, a key concept of the AU-Tomotive Open System ARchitecture (AUTOSAR), the open standard for designing the architecture of vehicle software [5]. Runnables represent the functional view of the system and are executed by the runtime of the software component [19]. For their execution they are mapped to tasks and a given runnable can be split across different tasks to introduce parallelism, for instance. In industrial practice, runnables that interact a lot are mapped to the same task, in particular when they perform functions with the same period.

In this example, we consider 3 non-preemptive, periodic tasks T1, T2 and T3, on which have already been mapped some runnables that interact together; we add another independent runnable whose code must be split between tasks T1 and T2:

• the period of task T1 is 100 time units; T1 includes a “fixed part”, independent from the new runnable and whose execution lasts 22 t.u.;

• the period of T2 is 200 t.u.; T2 also has a fixed part lasting 28 t.u.;

• the period of T3 is 400 t.u.; its execution lasts 11 t.u.;

• the period of the runnable is 200 t.u.; its execution lasts 76 t.u.; parameter a denotes the duration of the section that is executed in T1².

The processing unit consists of 2 cores C0 and C1; T3 can only execute on C0 whereas both T1 and T2 can execute on either core. When both cores are idle, the cost is null; when only one core is busy, the cost is equal to 2/t.u.; when both cores are busy, the cost is equal to 3/t.u. Any optimised strategy to divide the runnable over T1 and T2 and to allocate these tasks to C0 or C1 must therefore favour the cases where both cores are in the same state.

Figure 4 presents the model for this problem³. The associated cost function is:2 ∗ (C0 6= C1) + 3 ∗ C0 ∗ C1 + 1000 ∗ W 1 ∗ (R1C0 + R1C1) + W 2 ∗ (R2C0 + R2C1) + W 3 ∗ R3C0

, where the name of a place (e.g. R1C0) represents its marking⁴.

We limit the study of the system to the first 400 t.u., at the end of which T1 has been executed 4 times, T2 twice and T3 once. This will be the marking to reach.

2Every 200 t.u., since T1 is executed twice as often as T2, T1 is running during (22 + a) ∗ 2 = 44 + 2a t.u. whereas T2 is running during 28 + (76 − 2a) = 104 − 2a t.u.

3To ensure a correct access to the cores, we could have added one place for each core and some arcs on each task to capture and release them but the resulting net would have been quite unreadable. Instead, we chose to add 2 integer variables C0 and C1 (both initialised to 0); a variable equal to 0 (resp. 1) obviously means the corresponding core is idle (resp. busy).

4The last term ensures that such cases where an instance of a task is activated while a previous one is running are heavily penalised.

We start by computing the optimal cost with the corresponding parameter values. This is done with Romeo using formula mincost (four==4 and two==2 and one==1). We obtain minimum cost 466 and a ∈ [13, 17].

We can run a consistency check with the following bounded cost reachability property: EF four==4 and two==2 and one==1 and cost≤466. As expected this holds iff a ∈ [13, 17].

We then try to relax the constraint on the cost a bit and for instance we find that property EF four==4 and two==2 and one==1 and cost≤470 holds iff a ∈ [12, 18]. Similarly, the cost can be made less or equal to 500 iff a ∈ [4, 26].

Back to the optimal case, we set a to 17; Romeo provides the following timed trace, in which the notationT1@t1means that transition T1 is fired at date t1:T1C0@61, T2C1@69, T1@100, end1 C0@100, T1C0@100, end1 C0@139, end2 C1@139, T1@200, T2@200, T2C0@261, T1C1@261, T1@300, end1 C1@300, T1C1@303, end2 C0@331, T3C0@331, end3 C0@342, end1 C1@342

From this trace, we obtain the Gantt chart in Figure 5 (above). Setting a to 13 yields another timed trace, resulting in the Gantt chart in Figure 5 (below). In both cases, we can see that both cores are busy during 148 t.u. (and for 11 t.u., only one is idle), which confirms our analysis on the optimised strategy above.

We have proposed a new Petri net-based formalism with parametric timing and cost features, thus merging two classical lines of work. For this formalism, we define an existential problem and two synthesis problems for parametric reachability with cost constraints. We prove that the existential problem is undecidable but we nonetheless give and prove symbolic semi-algorithms for the synthesis problems. We finally propose variants of those synthesis semi-algorithms suitable for integer param-eter valuations and prove their termination when those paramparam-eter valuations are bounded a priori, and

Task1 C0 C1

Task2 C0 C1

Task3 ^C0

0 40 80 120 160 200 240 280 320 360 400t

Task1 C0 C1

Task2 C0 C1

Task3 ^C0

0 40 80 120 160 200 240 280 320 360 400t

Figure 5. Gantt charts for a = 17 (above) and a = 13 (below)

with some other classical assumptions. These symbolic algorithms avoid the explicit enumeration of all possible parameter valuations. They are implemented in our tool Romeo and we have demonstrated their use on a case-study addressing a scheduling problem, and inspired by the AUTOSAR standard.

Further work includes computing the optimal cost as a function of parameters and investigating the case of costs (discrete and rates) as parameters.

References

[1] P. A. Abdulla and R. Mayr. Priced timed Petri nets. Logical Methods in Computer Science, 9(4), 2013.

[2] R. Alur and D. Dill. A Theory of Timed Automata. Theoretical Computer Science, 126(2):183–235, 1994.

[3] R. Alur, T. A. Henzinger, and M. Y. Vardi. Parametric real-time reasoning. In ACM Symposium on Theory of Computing, pages 592–601, 1993.

[4] R. Alur, S. L. Torre, and G. J. Pappas. Optimal paths in weighted timed automata. Theoretical Computer Science, 318(3):297 – 322, 2004.

[5] AUTOSAR. Specification of RTE Software. Technical Report 4.4.0, october 2018.

[6] R. Bagnara, P. Hill, and E. Zaffanella. Not necessarily closed polyhedra and the double description method.

Formal Aspects of Computing, 17:222–257, 2005.

[7] G. Behrmann, A. Fehnker, T. Hune, K. Larsen, P. Pettersson, J. Romijn, and F. Vaandrager. Minimum-cost reachability for priced timed automata. In HSCC 2001 Rome, Italy, pages 147–161. Springer, 2001.

[8] G. Behrmann, K. G. Larsen, and J. I. Rasmussen. Optimal scheduling using priced timed automata.

SIGMETRICS Perform. Eval. Rev., 32(4):34–40, Mar. 2005.

[9] B. Berthomieu and M. Diaz. Modeling and verification of time dependent systems using time Petri nets.

IEEE trans. on soft. eng., 17(3):259–273, 1991.

[10] B. Berthomieu and M. Menasche. An enumerative approach for analyzing time petri nets. In IFIP, pages 41–46. Elsevier Science Publishers, 1983.

[11] H. Boucheneb, D. Lime, B. Parquier, O. H. Roux, and C. Seidner. Optimal reachability in cost time Petri nets. In FORMATS’17, Berlin, Germany, LNCS, 2017.

[12] P. Bouyer, M. Colange, and N. Markey. Symbolic optimal reachability in weighted timed automata. In CAV’16, volume 9779 of LNCS, Toronto, Canada, 2016.

[13] T. Hune, J. Romijn, M. Stoelinga, and F. Vaandrager. Linear parametric model checking of timed automata.

Journal of Logic and Algebraic Programming, 52-53:183–220, 2002.

[14] A. Jovanovi´c. Parametric Verification of Timed Systems. PhD thesis, ´Ecole Centrale Nantes, Nantes, France, 2013.

[15] A. Jovanovi´c, D. Lime, and O. H. Roux. Integer parameter synthesis for real-time systems. IEEE Trans-actions on Software Engineering (TSE), 41(5):445–461, 2015.

[16] K. Larsen, G. Behrmann, E. Brinksma, A. Fehnker, T. Hune, P. Pettersson, and J. Romijn. As cheap as possible: Efficient cost-optimal reachability for priced timed automata. In CAV’01, volume 2102 of LNCS, pages 493–505, 2001.

[17] K. G. Larsen, P. Pettersson, and W. Yi. Model-Checking for Real-Time Systems. In Fundamentals of Computation Theory, volume 965 of LNCS, pages 62–88, 1995.

[18] M. Minsky. Computation: Finite and Infinite Machines. Prentice Hall, 1967.

[19] N. Naumann. AUTOSAR runtime environment and virtual function bus. Technical report, Hasso-Plattner-Institut, 2009.

[20] A. Schrijver. Theory of linear and integer programming. John Wiley & Sons, Inc., New York, NY, USA, 1986.

[21] L.-M. Traonouez, D. Lime, and O. H. Roux. Parametric model-checking of stopwatch Petri nets. Journal of Universal Computer Science, 15(17):3273–3304, 2009.